** Description changed:

  [Impact]

- Some times libvirt fails to start a vm with the following error :
+ Some times libvirt fails to start a vm with the following error :

  libvirt: error : unable to set AppArmor profile 'libvirt-b05b297f-952f-42d6-b04e-f9a13767db54' for '/usr/bin/kvm-spice': No such file or directory

- This happens because for some reason file
+ This happens because for some reason the apparmor profile for the guest
  /etc/apparmor.d/libvirt/libvirt-<vm-uuid> has 0 size.

- Although, we do not now why the above file gets truncated and therefore we do not know the root cause, I open this bug to come up with a way to mitigate the issue.
- E.g. when libvirt sees that this file is 0-size to delete it and create it again.
+ We do not now why the above file gets truncated to begin with and
+ therefore we do not know the root cause to fix it there. But the
+ condition is easy to detect and 100% broken, so we can detect and
+ recreate the file in those cases.

  [Test case]

  To reproduce this behaviour, create a vm and stop it, note the uuid.
- Then :
- ## touch /etc/apparmor.d/libvirt/libvirt-<vm-uuid>
- # touch /etc/apparmor.d/libvirt/libvirt-b05b297f-952f-42d6-b04e-f9a13767db54
- # ls -la libvirt-b05b297f-952f-42d6-b04e-f9a13767db54
- -rw-r--r-- 1 root root 0 May 6 18:46 libvirt-b05b297f-952f-42d6-b04e-f9a13767db54
+ For example:
+ $ uvt-simplestreams-libvirt --verbose sync --source http://cloud-images.ubuntu.com/daily arch=amd64 label=daily release=focal
+ $ uvt-kvm create --password=ubuntu f release=focal arch=amd64 label=daily
+ $ virsh dominfo f
+ ...
+ Security label: libvirt-1ceac8db-c1e9-40b2-8ada-a60349454fc1 (enforcing)
+ $ virsh shutdown f

- Try to start the vm, it will fail with :
- libvirt: error : unable to set AppArmor profile 'libvirt-b05b297f-952f-42d6-b04e-f9a13767db54' for '/usr/bin/kvm-spice': No such file or directory
+ Then make the start apparmor profile an empty file.
+ On Bionic/Focal that file will be non-existant by default (cleaned on guest stop), on Hirsute/Impish it will be around for admin-edit but with content. Therefore "touch" isn't enough every time, instead really put nothing to it as that is how the real issue looks like).

- To be able to start the vm again just delete the libvirt-<vm-uuid> file.
+ $ cat /dev/null | sudo tee /etc/apparmor.d/libvirt/libvirt-1ceac8db-c1e9-40b2-8ada-a60349454fc1
+ # ensure it is size zero
+ $ ll /etc/apparmor.d/libvirt/libvirt-1ceac8db-c1e9-40b2-8ada-a60349454fc1
+ -rw-r--r-- 1 root root 0 Nov 18 09:01 /etc/apparmor.d/libvirt/libvirt-1ceac8db-c1e9-40b2-8ada-a60349454fc1
+
+
+ Next try to start the vm, it will try to use the file it found (instead of creating a new one as it would when non-existing) and will fail doing so:
+
+ $ virsh start f
+ error: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-1ceac8db-c1e9-40b2-8ada-a60349454fc1' for '/usr/bin/qemu-system-x86_64': No such file or directory
+
+
+ To manually be able to start the vm again just delete the libvirt-<vm-uuid> file.
+ With the fix applied libvirt will recreate the file and guest start works again.

  [Regression Potential]

- TBD
+ The new code is only active when the size of the file is zero which is a
+ 100% guarantee that the guest is broken and won't start. Nevertheless if
+ we made a mistake in the fix the area (of the many things libvirt does)
+ to look at is the generating and usage of apparmor profiles.

  [Other]

  Similar reported bug : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890084

--
https://bugs.launchpad.net/bugs/1927519

Title:
  Mitigate libvirt: error : unable to set AppArmor profile 'libvirt-<vm-uuid>' for '/usr/bin/kvm-spice': No such file or directory
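
An admin-side check for the condition this report describes, added here as an example; it is not libvirt's fix and not code from the bug. It lists per-guest profiles of size zero; the function name is hypothetical, and the directory and the libvirt-<uuid> naming are assumed from the paths shown in the report.

```shell
#!/bin/sh
# Added example (not libvirt code): report zero-size per-guest AppArmor
# profiles, the state that makes guest start fail in this bug report.
# Assumptions: profiles are named libvirt-<uuid> (36-char lowercase UUID)
# and live in /etc/apparmor.d/libvirt, as in the paths quoted in the report.
# The function only reads the directory; it never deletes or rewrites files.

find_empty_libvirt_profiles() {
    dir=${1:-/etc/apparmor.d/libvirt}
    [ -d "$dir" ] || return 2            # directory missing: nothing to check

    for f in "$dir"/libvirt-*; do
        [ -f "$f" ] || continue          # skips non-files and an unmatched glob

        name=${f##*/}                    # strip the directory part
        uuid=${name#libvirt-}            # what follows the "libvirt-" prefix

        # Accept only a bare UUID after the prefix, so any other file that
        # shares the prefix (extra suffixes, backups) is ignored.
        case $uuid in
            *[!0-9a-f-]*) continue ;;
        esac
        [ ${#uuid} -eq 36 ] || continue

        [ -s "$f" ] && continue          # -s: file exists and size > 0

        printf '%s\n' "$f"               # zero-size profile: guest will not start
    done
}

# usage: find_empty_libvirt_profiles /etc/apparmor.d/libvirt
```

Each path printed is a profile that, per the report, has to be deleted by hand before the guest can start unless the fixed libvirt is installed.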
